MedusaLocker

Malware updated 3 months ago (2024-11-29T13:56:04.655Z)

Download STIX

Preview STIX

MedusaLocker is a potent malware, first observed in 2019, that primarily targets the healthcare sector. It operates as a Ransomware-as-a-Service (RaaS), often using the double extortion method for monetary gain. This ransomware has been particularly effective during periods of disorder and confusion such as the COVID-19 pandemic, according to a February 2023 report by the US Department of Health and Human Services. MedusaLocker should not be confused with another similarly named RaaS, Medusa, which was first observed in 2021. A new variant of MedusaLocker was discovered by PCrisk, which appends the .crypto1317 extension and drops a ransom note named How_to_back_files.html. Like other ransomware, it terminates specific services by referencing a hardcoded list of services. This variant uses the same chat and leak site URLs as the original MedusaLocker ransomware. The Medusa group's RaaS platform, different from the original MedusaLocker, has been active since late 2022. The threat posed by MedusaLocker extends globally, with organizations being targeted by financially motivated threat actors. Cisco Talos analysis found instances of staggering $5 million ransom demands. The tool has been used by various ransomware operations, including AvosLocker, BlackCat, Trigona, and LockBit. These strains reflect global trends seen in Singapore's threat landscape, where LockBit, DeadBolt, and MedusaLocker are among the common models deployed.

Description last updated: 2024-10-04T17:16:21.339Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Medusa is a possible alias for MedusaLocker. Medusa, a threat actor group known for its malicious activities, has been increasingly involved in multiple high-profile cyber attacks. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability, the Citrix Bleed (CVE-2023-4966), leading to numerou	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Encryption

Encrypt

RaaS

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Medusa Ransomware Malware is associated with MedusaLocker. Medusa ransomware, a malicious software program that debuted in late 2022, has been wreaking havoc by infiltrating systems and holding data hostage for ransom. This form of malware is typically delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once insi	Unspecified	2
The Lockbit Malware is associated with MedusaLocker. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or	Unspecified	2

Source Document References

Information about the MedusaLocker Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	2 days ago	Medusa Ransomware Claims 40+ Victims in 2025
InfoSecurity-magazine	5 months ago	New MedusaLocker Ransomware Variant Deployed by Threat Actor
Securityaffairs	8 months ago	FIN7 group advertises new EDR bypass tool on hacking forums
Securityaffairs	8 months ago	FIN7 group advertises new EDR bypass tool on hacking forums
CERT-EU	a year ago	The Week in Ransomware - November 17th 2023 - Citrix in the Crosshairs
CERT-EU	a year ago	Ransomware victims are being offered payment extension plans as groups ratchet up pressure \| #ransomware \| #cybercrime \| National Cyber Security Consulting
Unit42	a year ago	Medusa Ransomware Turning Your Files into Stone
CERT-EU	2 years ago	Ransomware and phishing attacks continue to plague businesses in Southeast Asia \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Hackers attack PhilHealth’s website, systems \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	The Week in Ransomware - October 20th 2023 - Fighting Back
CERT-EU	a year ago	Medusa Claims Canadian Psychological Association Cyberattack
Quick Heal Technologies Ltd.	a year ago	MedusaLocker Ransomware: An In-Depth Technical Analysis and Prevention Strategies
CERT-EU	a year ago	MEDUSA Cyber Attacks: Two New Victims Added To The List!
CERT-EU	a year ago	PhilHealth hit by ransomware – report \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	2 years ago	The Week in Ransomware - March 10th 2023 - Police Take Action
CERT-EU	2 years ago	Nine looks for new cyber security director
CERT-EU	2 years ago	French town of Sartrouville recovering from cyberattack claimed by ransomware gang
CERT-EU	a year ago	Philippines state health org struggling to recover from ransomware attack
CERT-EU	a year ago	French town of Sartrouville recovering from cyberattack claimed by ransomware gang \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	What doToyota's data breaches teach us about cybersecurity? \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting